wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
$wgUser = new User();
$this->getContext()->setUser( $wgUser );
+ $request->response()->header( 'MediaWiki-Login-Suppressed: true' );
}
}
if ( !$preflight ) {
$response->header(
- 'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag'
+ 'Access-Control-Expose-Headers: MediaWiki-API-Error, Retry-After, X-Database-Lag, '
+ . 'MediaWiki-Login-Suppressed'
);
}
}
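Review bot: The new `$request->response()->header( 'MediaWiki-Login-Suppressed: true' );` line sets its header through `$request->response()` while the `Access-Control-Expose-Headers` call a few lines below goes through `$response`; if `$response` is the same response object (presumably assigned earlier in this function, outside the hunk), write it as `$response->header( 'MediaWiki-Login-Suppressed: true' );` so both headers are visibly set on one object. The line also deserves a why-comment, since nothing nearby connects it to the client that reads it: `// Tell CORS clients (e.g. the API sandbox) that the request ran logged-out so they can explain missing tokens`. The header value is the constant `true`, so exposing it cross-origin discloses only that credentials were dropped, not which user was stripped. The enclosing function starts and ends outside the hunk.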
"apisandbox-sending-request": "Sending API request...",
"apisandbox-loading-results": "Receiving API results...",
"apisandbox-results-error": "An error occurred while loading the API query response: $1.",
+ "apisandbox-results-login-suppressed": "This request has been processed as a logged-out user as it could be used to bypass browser Same-Origin security. Note that the API sandbox's automatic token handling does not work properly with such requests, please fill them in manually.",
"apisandbox-request-selectformat-label": "Show request data as:",
"apisandbox-request-format-url-label": "URL query string",
"apisandbox-request-url-label": "Request URL:",
"apisandbox-sending-request": "JavaScript message displayed while the request is being sent.",
"apisandbox-loading-results": "JavaScript message displayed while the response is being read.",
"apisandbox-results-error": "Displayed as an error message from JavaScript when the request failed.\n\nParameters:\n* $1 - Error message",
+ "apisandbox-results-login-suppressed": "Displayed as a warning when a request was processed as a logged-out user to avoid Same-Origin security bypass.",
"apisandbox-request-selectformat-label": "Label for the format selector on the results page.",
"apisandbox-request-format-url-label": "Label for the menu item to select URL format.\n\nSee also:\n* {{msg-mw|apisandbox-request-selectformat-label}}\n* {{msg-mw|apisandbox-request-url-label}}",
"apisandbox-request-url-label": "Label for the text field displaying the URL used to make this request.\n\nSee also:\n* {{msg-mw|apisandbox-request-format-url-label}}",
'apisandbox-sending-request',
'apisandbox-loading-results',
'apisandbox-results-error',
+ 'apisandbox-results-login-suppressed',
'apisandbox-request-selectformat-label',
'apisandbox-request-format-url-label',
'apisandbox-request-url-label',
} )
.done( function ( data, jqXHR ) {
var m, loadTime, button, clear,
- ct = jqXHR.getResponseHeader( 'Content-Type' );
+ ct = jqXHR.getResponseHeader( 'Content-Type' ),
+ loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) || 'false';
$result.empty();
+ if ( loginSuppressed !== 'false' ) {
+ $( '<div>' )
+ .addClass( 'warning' )
+ .append( Util.parseMsg( 'apisandbox-results-login-suppressed' ) )
+ .appendTo( $result );
+ }
if ( /^text\/mediawiki-api-prettyprint-wrapped(?:;|$)/.test( ct ) ) {
data = JSON.parse( data );
if ( data.modules.length ) {
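Review bot: The `'false'` sentinel on the `loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) || 'false';` line and the `loginSuppressed !== 'false'` test stand in for a plain presence check: `getResponseHeader` yields `null` when the header is absent, and the server side in this change sends the literal value `true`, so the string default exists only to make the comparison work. Replacing the two lines with `loginSuppressed = jqXHR.getResponseHeader( 'MediaWiki-Login-Suppressed' ) !== null;` and `if ( loginSuppressed ) {` keeps the fail-safe behaviour (any present value shows the warning) without the magic string. A short comment above the `if` would also help a reader, e.g. `// Server dropped the session for this cross-origin request; automatic token handling will not work.` The enclosing `.done` callback starts and ends outside the hunk.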